Blue Cross N.C. questioned about data sharing

Published: Monday, July 15, 2013 at 11:43 AM.

THE ASSOCIATED PRESS

Blue Cross and Blue Shield of North Carolina shares private information of hundreds of thousands of its clients to an outside company that helps design its software.

The company told The News & Observer of Raleigh that it protects the information, which includes names, addresses, Social Security numbers and medical data, with limited access, hardware and software that control how the data is used and strict contracts. The company also points out it has never had a security breach.

Blue Cross and Blue Shield of North Carolina shares private information of hundreds of thousands of its clients to an outside company that helps design its software.

The company told The News & Observer of Raleigh that it protects the information, which includes names, addresses, Social Security numbers and medical data, with limited access, hardware and software that control how the data is used and strict contracts. The company also points out it has never had a security breach.

But some computer experts said the practice is dangerous and recommend the insurer look at scrambling the data before sharing it.

Blue Cross is the biggest private health insurer in North Carolina, with 3.7 million members. Its customers include the State Employees Health Plan and Duke Energy Progress.

The company's data is periodically sent to DST Healthcare, its software designer, which is headquartered in Missouri, said Blue Cross and Blue Shield chief information officer Jo Abernathy. In 2010, the company selected 845,861 clients and sent their complete data to DST, according to a 2010 memo.

"Security is a very high priority at Blue Cross. We can't do business if we can't demonstrate our ability to protect customer data," Abernathy said.

The company's president and CEO, Brad Wilson, issued a statement on Saturday that the company exceeds what's required under federal and state laws to keep the data safe. Wilson said the company's business partners must follow the same requirements.

"Our use of protected health data complies with laws, regulations and our own high standards. We exceed industry standards by using multiple layers of data security to protect our customers' personal information from accidental, unauthorized or illegal access or transfer," he said.

But Gary McGraw, chief technology officer at Cigital, said any time data is released from inside a company it run a risk of being compromised. He recommends companies never use real data to run tests.

While insurance companies often share medical information with other health care companies, doctors and pharmacies, outside vendors are a different matter, said Robert Gellman, a privacy consultant from Washington, D.C.

"It's pretty dumb to give it to a contractor to build software," Gellman said. "You could find another way rather than send raw data. If there is a theft, someone steals a computer, takes home a memory stick, then you have a data breach, and it's very expensive, millions of dollars, to remediate a data breach."

Blue Cross competitor Cigna said it scrambles or masks data before sharing it, while Aetna said it shares private health information only in limited circumstances similar to Blue Cross.